Its a rule that the REFramework violates (at least in the one that is modified to load credentials to the Config Dictionary), but it doesnt proc the rule because the securestring is in a Dictionary<string, SecureString> and it doesnt realize the SecureString in the Dictionary.
It in my opinion should only be a warning as its not so serious if you pass from one workflow to another as thats no different than passing it from the workflow to the activity that uses it.
That being said, it is a good idea to keep the scope small, however I’ve suggest not only doing that with Credential type assets but all assets, ditch the config and just grab an asset the moment you need it.